After a typical SIBOS evening – oh, Sake – woke up to a typical SIBOS morning with coffee from Franco, HSBC’s resident barista coffee maker.
Then into the first session of the day about cyberwars – are they a real threat?
Ably chaired by Paul Taylor, Technology and Telecoms Editor with the Financial Times, the panle comprised:
- David Bannatyne, Executive GM, Banking & Payments Systems, National Australia Bank;
- Mark Clancy, MD, Technology Risk Management, DTCC; and
- Srood Sherif, Group Chief Information Officer, National Bank of Abu Dhabi;
the debate went something like this (not quotes, but my highlights):
Bannatyne: we’re at risk 24 hours a day, no longer from 9 till 5.
Clancy: it’s a risk that needs to be managed and comes from four constituencies that can be summarised in the acronym CHEW – Criminals, Hactivists, Espionage and War.
Sherif: the issue is not just getting at our information but the market for the information you get – it’s far more insidious these days. Gangs sell to other gangs. Further issues can be politically motivated. For example we had a hacker group in Saudi who claimed they had gained access to financial information in Israeli accounts, and so the Israeli hackers attacked the Saudi and related banks, like ours. We get attacks thousands of times a day.
Clancy: We had many Distributed Denial of Services (DDoS) attacks in Q4 in the USA. The CEO of PNC Bank said that they were pummelled for 36 hours nonstop and the effect is that people can reach out and attack you from the other side of the planet and cause a significant impact. We also used to see DDoS attacks from consumer systems, but the attacks more recently are from colocation centres, which have higher bandwidth and are therefore far more onerous.
Bannatyne: we’ve seen attacks from things that are not even computers today. For example, things like the air conditioning units can be seeded with threats today as they have connectivity to systems. We also don’t have proprietary platforms anymore. Think of all the iPhones in this room that have internet connectivity for example. They are all potential threats to the system, and we have more connectivity today than we’ve ever had before. This massive connectivity creates massive exposures and risks, but you have to manage those. We monitor for phishing 24 hours a day and in Australia it’s far easier than say, in the USA, as we have just four banks so if you send out a phishing email you have a 25% chance of hitting the customer with the right bank.
Clancy: It’s like football, where the ball represents information. Your team can only win if you have the ball and score, and we are now very conscious that we need to have that ball and keep it.
Bannatyne: the trouble is that there’s more than one ball.
Sherif: In 2007 we were sharing five threats a month in the US bank community whereas, today, it’s around five attacks a day.
Bannatyne: the issue is that law enforcement is based upon geographic location, but these attacks are not coming from our geography. We get attacked at 3 o’clock in the morning from Russia, and the Australian system cannot deal with that. We’re also moving from two factor to three factor authentication, using voice verification on top of text message for one time passwords. This is to add to our SMS One Time Passwords (OTP). SMS OTP was introduced in 2004, but recently has been compromised by criminals gathering enough information about people using social engineering and phishing, and then taking over the person’s telephone number. So when we text the phone it gets diverted to the man in the middle but it was a good system for eight years which, in today’s world, is pretty good. And we have fixed it by using a fraud analytic to study the behaviour of response to the text message OTP along with adding voice verification, so it’s not completely broken.
Sherif: there’s a tension between security and access. Customers don’t like added security measures, such as OTP tokens, but we have to explain that it’s for their protection and communicate that better. It’s also a service based view. For example, as I checked in to the hotel here I got a call from my bank saying that the card was being used in japan and am I really there. This was at the checkin desk in real-time and that reassured me that the service is good.
(note: my bank just blocked the card after I echekd in so I had to call the bank at my cost)
Clancy: the issue here however is that the more you have to pay to minimise fraud and deliver good service, the higher the transaction cost to the customer. And for us, the issue is that you can see a missile when it’s fired against you. You can track where it came from. In cyberspace you cannot, you have no idea who launched the missile or from where.
Bannatyne: the issue about cost is more to do with who pays when there’s a compromise. Historically, it has been the banks but the weakness is the customer, and so the question of who pays will change. We will see more instances in the future where the customer pays.
Clancy: it’s a matter of customer education. Customers know that to walk down a small, dark alley in a bad part of town at night is risky, but if it’s a wide road on a sunny day it’s probably ok. We need to provide those skills for their online bank usage, so that they can make this risk assessment themselves and stay on the sunny side of the street.
Bannatyne: you don’t pay people anymore, you just pay bank account data, so that’s another part of the risk chain.
The panel then opened to questions and one was about sanctions, AML and fraud which garnered this response from David Bannatyne
We have saved our customers $1.5 million in the last 18 months because we see suspicious transactions being made to certain counterparties. For example, dodgy investment schemes that promise 25% returns or more, that we know are scams from the bank target details where the payment is being made. As a result, we stop the payment and call the customer to say you’re making a $25,000 payment to this bank account and are you aware it’s a dodgy scheme. We expect you’ve been cold called by these guys offering a good return on a biotech or similar investment and you will lose this money if you go ahead. That’s a great conversation to have with a customer because we are demonstrating value add and, as a result, this scheme now asks people who they bank with. That’s because they want to know if its with NAB. If the answer is yes, they say to them that we’re a bad bank and notoriously slow in making payments. Not surprising really.
A good panel debate and now off to the plenary ….